
Valgrind warnings 'Invalid read' in Field_newdate::cmp and Field_newdate::val_str

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 10.0(EOL), 10.1(EOL)
    • 10.0.24
    • OTHER
    • None

    Description

      Reproducible on a debug valgrind build (-DCMAKE_BUILD_TYPE=Debug -DWITH_VALGRIND=YES).

      CREATE TABLE t1 (f1 DATE, f2 VARCHAR(1));
      INSERT INTO t1 VALUES ('2003-04-27','a'),('1900-01-01','a');
      SELECT GROUP_CONCAT(f2, IF(f1, f2, f1), f1 ORDER BY 2,1,3) FROM t1;

      ==6374== Invalid read of size 4
      ==6374==    at 0x83F4FC: Field_newdate::cmp(unsigned char const*, unsigned char const*) (field.cc:5940)
      ==6374==    by 0x911CA1: group_concat_key_cmp_with_order (item_sum.cc:3069)
      ==6374==    by 0xE47BD4: tree_insert (tree.c:211)
      ==6374==    by 0x912CD0: Item_func_group_concat::add() (item_sum.cc:3404)
      ==6374==    by 0x9142CA: Aggregator_simple::add() (item_sum.h:670)
      ==6374==    by 0x6E0C82: Item_sum::aggregator_add() (item_sum.h:519)
      ==6374==    by 0x6D8301: update_sum_func(Item_sum**) (sql_select.cc:22612)
      ==6374==    by 0x6CFBB9: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:19140)
      ==6374==    by 0x6CCFB6: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:18050)
      ==6374==    by 0x6CCA6C: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:17867)
      ==6374==    by 0x6CC14C: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:17490)
      ==6374==    by 0x6A9311: JOIN::exec_inner() (sql_select.cc:3084)
      ==6374==    by 0x6A6709: JOIN::exec() (sql_select.cc:2373)
      ==6374==    by 0x6A9B92: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3308)
      ==6374==    by 0x69FE08: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)
      ==6374==    by 0x674727: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5304)
      ==6374==  Address 0xd3927bd is 77 bytes inside a block of size 80 alloc'd
      ==6374==    at 0x4C291E0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==6374==    by 0xE3B66E: my_malloc (my_malloc.c:100)
      ==6374==    by 0xE2FC50: alloc_root (my_alloc.c:180)
      ==6374==    by 0xE47D42: tree_insert (tree.c:244)
      ==6374==    by 0x912CD0: Item_func_group_concat::add() (item_sum.cc:3404)
      ==6374==    by 0x9142CA: Aggregator_simple::add() (item_sum.h:670)
      ==6374==    by 0x6E0C82: Item_sum::aggregator_add() (item_sum.h:519)
      ==6374==    by 0x6E0B6D: Item_sum::reset_and_add() (item_sum.h:417)
      ==6374==    by 0x6D8299: init_sum_functions(Item_sum**, Item_sum**) (sql_select.cc:22594)
      ==6374==    by 0x6CFB3C: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:19133)
      ==6374==    by 0x6CCFB6: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:18050)
      ==6374==    by 0x6CC8D8: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:17828)
      ==6374==    by 0x6CC14C: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:17490)
      ==6374==    by 0x6A9311: JOIN::exec_inner() (sql_select.cc:3084)
      ==6374==    by 0x6A6709: JOIN::exec() (sql_select.cc:2373)
      ==6374==    by 0x6A9B92: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3308)

      ==6374==    at 0x83F1C1: Field_newdate::val_str(String*, String*) (field.cc:5897)
      ==6374==    by 0x5C6DF2: Field::val_str(String*) (field.h:417)
      ==6374==    by 0x913E10: Field::val_str(String*, unsigned char const*) (field.h:832)
      ==6374==    by 0x911F1A: dump_leaf_key (item_sum.cc:3128)
      ==6374==    by 0xE48A93: tree_walk_left_root_right (tree.c:552)
      ==6374==    by 0xE48A44: tree_walk_left_root_right (tree.c:551)
      ==6374==    by 0xE489DB: tree_walk (tree.c:539)
      ==6374==    by 0x913A4F: Item_func_group_concat::val_str(String*) (item_sum.cc:3640)
      ==6374==    by 0x87DEB4: Item::send(Protocol*, String*) (item.cc:6508)
      ==6374==    by 0x5C489B: Protocol::send_result_set_row(List<Item>*) (protocol.cc:903)
      ==6374==    by 0x632F9A: select_send::send_data(List<Item>&) (sql_class.cc:2556)
      ==6374==    by 0x6CF93E: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:19077)
      ==6374==    by 0x6CC6A7: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:17782)
      ==6374==    by 0x6CC199: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:17493)
      ==6374==    by 0x6A9311: JOIN::exec_inner() (sql_select.cc:3084)
      ==6374==    by 0x6A6709: JOIN::exec() (sql_select.cc:2373)
      ==6374==  Address 0xd39284d is 77 bytes inside a block of size 80 alloc'd
      ==6374==    at 0x4C291E0: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==6374==    by 0xE3B66E: my_malloc (my_malloc.c:100)
      ==6374==    by 0xE2FC50: alloc_root (my_alloc.c:180)
      ==6374==    by 0xE47D42: tree_insert (tree.c:244)
      ==6374==    by 0x912CD0: Item_func_group_concat::add() (item_sum.cc:3404)
      ==6374==    by 0x9142CA: Aggregator_simple::add() (item_sum.h:670)
      ==6374==    by 0x6E0C82: Item_sum::aggregator_add() (item_sum.h:519)
      ==6374==    by 0x6D8301: update_sum_func(Item_sum**) (sql_select.cc:22612)
      ==6374==    by 0x6CFBB9: end_send_group(JOIN*, st_join_table*, bool) (sql_select.cc:19140)
      ==6374==    by 0x6CCFB6: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:18050)
      ==6374==    by 0x6CCA6C: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:17867)
      ==6374==    by 0x6CC14C: do_select(JOIN*, List<Item>*, TABLE*, Procedure*) (sql_select.cc:17490)
      ==6374==    by 0x6A9311: JOIN::exec_inner() (sql_select.cc:3084)
      ==6374==    by 0x6A6709: JOIN::exec() (sql_select.cc:2373)
      ==6374==    by 0x6A9B92: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:3308)
      ==6374==    by 0x69FE08: handle_select(THD*, LEX*, select_result*, unsigned long) (sql_select.cc:373)

      Attachments

        Activity

          A similar crash occurs on a non-debug build (with a different test case):

          #2  <signal handler called>
          #3  Field_newdate::cmp (this=0x7f3f91f185a0, a_ptr=0x7f3f90fffffd "D\243\017"<error: Cannot access memory at address 0x7f3f91000000>, b_ptr=0x7f3f9205314e "D\243\017\312Ô?\177") at /home/elenst/git/bb-10.1-mdev-9304/sql/field.cc:6394
          #4  0x00007f3fbfc41720 in group_concat_key_cmp_with_order (arg=<optimised out>, key1=0x7f3f90ffffd0, key2=0x7f3f92053121) at /home/elenst/git/bb-10.1-mdev-9304/sql/item_sum.cc:2975
          #5  0x00007f3fbffe9314 in tree_insert (tree=0x7f3f91ec7770, key=0x7f3f92053121, key_size=0, custom_arg=0x7f3f91ec7620) at /home/elenst/git/bb-10.1-mdev-9304/mysys/tree.c:211
          #6  0x00007f3fbfc45919 in Item_func_group_concat::add (this=0x7f3f920b0120) at /home/elenst/git/bb-10.1-mdev-9304/sql/item_sum.cc:3313
          #7  0x00007f3fbfa86061 in aggregator_add (this=<optimised out>) at /home/elenst/git/bb-10.1-mdev-9304/sql/item_sum.h:521
          #8  update_sum_func (func_ptr=0x7f3f91d42de0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:23152
          #9  end_send_group (join=0x7f3f91dd7620, join_tab=<optimised out>, end_of_records=<optimised out>) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:19608
          #10 0x00007f3fbfa6c536 in evaluate_join_record (join=join@entry=0x7f3f91dd7620, join_tab=join_tab@entry=0x7f3f91cc27a0, error=error@entry=0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:18506
          #11 0x00007f3fbfa73885 in sub_select (join=0x7f3f91dd7620, join_tab=0x7f3f91cc27a0, end_of_records=<optimised out>) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:18320
          #12 0x00007f3fbfa812cd in do_select (join=join@entry=0x7f3f91dd7620, fields=fields@entry=0x7f3f91dd7a78, table=table@entry=0x0, procedure=0x0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:17936
          #13 0x00007f3fbfa90340 in JOIN::exec_inner (this=0x7f3f91dd7620) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:3228
          #14 0x00007f3fbfa921f7 in JOIN::exec (this=0x7f3f91dd7620) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:2518
          #15 0x00007f3fbfa8e944 in mysql_select (thd=thd@entry=0x7f3f99ad7008, rref_pointer_array=rref_pointer_array@entry=0x7f3f99adb2a8, tables=0x7f3f91c35a20, wild_num=<optimised out>, fields=..., conds=<optimised out>, og_num=2, order=0x7f3f92171490, group=0x0, having=0x0, proc_param=0x0, select_options=2147781376, result=result@entry=0x7f3f6f565760, unit=unit@entry=0x7f3f99ada8d0, select_lex=select_lex@entry=0x7f3f99adafe0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:3451
          #16 0x00007f3fbfa8f4f4 in handle_select (thd=thd@entry=0x7f3f99ad7008, lex=lex@entry=0x7f3f99ada808, result=result@entry=0x7f3f6f565760, setup_tables_done_option=setup_tables_done_option@entry=0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:384
          #17 0x00007f3fbfa3a9f9 in execute_sqlcom_select (thd=thd@entry=0x7f3f99ad7008, all_tables=0x7f3f91c35a20) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:5902
          #18 0x00007f3fbfa46cb0 in mysql_execute_command (thd=thd@entry=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:2961
          #19 0x00007f3fbfa49f06 in mysql_parse (thd=0x7f3f99ad7008, rawbuf=<optimised out>, length=<optimised out>, parser_state=0x7f3f9136c1e0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:7302
          #20 0x00007f3fbfa4ceed in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f3f99ad7008, packet=packet@entry=0x7f3f99add009 "", packet_length=packet_length@entry=1020) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:1487
          #21 0x00007f3fbfa4d681 in do_command (thd=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:1109
          #22 0x00007f3fbfb0228c in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_connect.cc:1349
          #23 0x00007f3fbfb02407 in handle_one_connection (arg=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_connect.cc:1261
          #24 0x00007f3fbdf0be9a in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
          #25 0x00007f3fbd638cbd in clone () from /lib/x86_64-linux-gnu/libc.so.6

          elenst Elena Stepanova added a comment - Similar crash on a non-debug build (not with the same test case): #2 <signal handler called> #3 Field_newdate::cmp (this=0x7f3f91f185a0, a_ptr=0x7f3f90fffffd "D\243\017"<error: Cannot access memory at address 0x7f3f91000000>, b_ptr=0x7f3f9205314e "D\243\017\312Ô?\177") at /home/elenst/git/bb-10.1-mdev-9304/sql/field.cc:6394 #4 0x00007f3fbfc41720 in group_concat_key_cmp_with_order (arg=<optimised out>, key1=0x7f3f90ffffd0, key2=0x7f3f92053121) at /home/elenst/git/bb-10.1-mdev-9304/sql/item_sum.cc:2975 #5 0x00007f3fbffe9314 in tree_insert (tree=0x7f3f91ec7770, key=0x7f3f92053121, key_size=0, custom_arg=0x7f3f91ec7620) at /home/elenst/git/bb-10.1-mdev-9304/mysys/tree.c:211 #6 0x00007f3fbfc45919 in Item_func_group_concat::add (this=0x7f3f920b0120) at /home/elenst/git/bb-10.1-mdev-9304/sql/item_sum.cc:3313 #7 0x00007f3fbfa86061 in aggregator_add (this=<optimised out>) at /home/elenst/git/bb-10.1-mdev-9304/sql/item_sum.h:521 #8 update_sum_func (func_ptr=0x7f3f91d42de0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:23152 #9 end_send_group (join=0x7f3f91dd7620, join_tab=<optimised out>, end_of_records=<optimised out>) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:19608 #10 0x00007f3fbfa6c536 in evaluate_join_record (join=join@entry=0x7f3f91dd7620, join_tab=join_tab@entry=0x7f3f91cc27a0, error=error@entry=0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:18506 #11 0x00007f3fbfa73885 in sub_select (join=0x7f3f91dd7620, join_tab=0x7f3f91cc27a0, end_of_records=<optimised out>) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:18320 #12 0x00007f3fbfa812cd in do_select (join=join@entry=0x7f3f91dd7620, fields=fields@entry=0x7f3f91dd7a78, table=table@entry=0x0, procedure=0x0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:17936 #13 0x00007f3fbfa90340 in JOIN::exec_inner (this=0x7f3f91dd7620) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:3228 #14 0x00007f3fbfa921f7 in JOIN::exec 
(this=0x7f3f91dd7620) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:2518 #15 0x00007f3fbfa8e944 in mysql_select (thd=thd@entry=0x7f3f99ad7008, rref_pointer_array=rref_pointer_array@entry=0x7f3f99adb2a8, tables=0x7f3f91c35a20, wild_num=<optimised out>, fields=..., conds=<optimised out>, og_num=2, order=0x7f3f92171490, group=0x0, having=0x0, proc_param=0x0, select_options=2147781376, result=result@entry=0x7f3f6f565760, unit=unit@entry=0x7f3f99ada8d0, select_lex=select_lex@entry=0x7f3f99adafe0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:3451 #16 0x00007f3fbfa8f4f4 in handle_select (thd=thd@entry=0x7f3f99ad7008, lex=lex@entry=0x7f3f99ada808, result=result@entry=0x7f3f6f565760, setup_tables_done_option=setup_tables_done_option@entry=0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_select.cc:384 #17 0x00007f3fbfa3a9f9 in execute_sqlcom_select (thd=thd@entry=0x7f3f99ad7008, all_tables=0x7f3f91c35a20) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:5902 #18 0x00007f3fbfa46cb0 in mysql_execute_command (thd=thd@entry=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:2961 #19 0x00007f3fbfa49f06 in mysql_parse (thd=0x7f3f99ad7008, rawbuf=<optimised out>, length=<optimised out>, parser_state=0x7f3f9136c1e0) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:7302 #20 0x00007f3fbfa4ceed in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x7f3f99ad7008, packet=packet@entry=0x7f3f99add009 "", packet_length=packet_length@entry=1020) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:1487 #21 0x00007f3fbfa4d681 in do_command (thd=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_parse.cc:1109 #22 0x00007f3fbfb0228c in do_handle_one_connection (thd_arg=thd_arg@entry=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_connect.cc:1349 #23 0x00007f3fbfb02407 in handle_one_connection (arg=0x7f3f99ad7008) at /home/elenst/git/bb-10.1-mdev-9304/sql/sql_connect.cc:1261 #24 0x00007f3fbdf0be9a in 
start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #25 0x00007f3fbd638cbd in clone () from /lib/x86_64-linux-gnu/libc.so.6
          bar Alexander Barkov added a comment - - edited

          This script also reproduces the problem:

          DROP TABLE IF EXISTS t1;
          CREATE TABLE t1 (f1 DATE, f2 VARCHAR(1));
          INSERT INTO t1 VALUES ('2003-04-27','a'),('1900-01-01','a');
          SELECT GROUP_CONCAT(IFNULL('a',f1), f2, f1 ORDER BY 1,2,3) FROM t1;

          Note: if I insert only one row instead of two, valgrind still reports the problem in dump_leaf_key(), while the problem in Field_newdate::cmp() disappears.

          bar Alexander Barkov added a comment - - edited This script also reproduces the problem: DROP TABLE IF EXISTS t1; CREATE TABLE t1 (f1 DATE, f2 VARCHAR(1)); INSERT INTO t1 VALUES ('2003-04-27','a'),('1900-01-01','a'); SELECT GROUP_CONCAT(IFNULL('a',f1), f2, f1 ORDER BY 1,2,3) FROM t1; Note: if I insert only one row instead of two, valgrind still reports the problem in dump_leaf_key(), while the problem in Field_newdate::cmp() disappears.

          People

            bar Alexander Barkov
            elenst Elena Stepanova

            Dates

              Created:
              Updated:
              Resolved:
